  # IPv6 firewall dump in ip6tables-save format (ICMPv6 matches, fe80::/10, a
  # 6in4 tunnel interface). The zone_*/delegate_* chain names and br-lan look
  # like OpenWrt fw3 output — not confirmable from the dump itself.
  # Rule order within a chain is significant: the first terminating match wins.
  # The "N." prefixes are paste-site line numbers, not part of the ruleset.
  # The next line is diagnostic output captured together with the dump; it is
  # not a rule and would not be accepted by ip6tables-restore as written.
  1. Warning: Unable to locate ipset utility, disabling ipset support
  # ---- filter table ---------------------------------------------------------
  # All three built-in chains default to DROP. In practice the delegate_*
  # chains end with an unconditional jump to "reject" (lines 98-100), so the
  # DROP policies only act as a backstop.
  2. *filter
  3. :INPUT DROP [0:0]
  4. :FORWARD DROP [0:0]
  5. :OUTPUT DROP [0:0]
  # User-defined chains: "-" means no policy (they fall through / RETURN), the
  # [0:0] are zeroed packet/byte counters.
  6. :delegate_input - [0:0]
  7. :delegate_output - [0:0]
  8. :delegate_forward - [0:0]
  9. :reject - [0:0]
  # Hook chains for custom rules. No rules are appended to input_rule,
  # output_rule or forwarding_rule anywhere in this dump, so they are no-ops.
  10. :input_rule - [0:0]
  11. :output_rule - [0:0]
  12. :forwarding_rule - [0:0]
  13. :syn_flood - [0:0]
  14. :zone_lan_input - [0:0]
  15. :zone_lan_output - [0:0]
  16. :zone_lan_forward - [0:0]
  17. :zone_lan_src_ACCEPT - [0:0]
  18. :zone_lan_dest_ACCEPT - [0:0]
  19. :zone_lan_dest_REJECT - [0:0]
  # Per-zone hook chains; also empty in this dump.
  20. :input_lan_rule - [0:0]
  21. :output_lan_rule - [0:0]
  22. :forwarding_lan_rule - [0:0]
  # Each lan zone chain first hands off to its (empty) hook chain.
  23. -A zone_lan_input -m comment --comment "user chain for lan input" -j input_lan_rule
  24. -A zone_lan_output -m comment --comment "user chain for lan output" -j output_lan_rule
  25. -A zone_lan_forward -m comment --comment "user chain for lan forwarding" -j forwarding_lan_rule
  26. :zone_wan_input - [0:0]
  27. :zone_wan_output - [0:0]
  28. :zone_wan_forward - [0:0]
  29. :zone_wan_src_REJECT - [0:0]
  30. :zone_wan_dest_ACCEPT - [0:0]
  31. :zone_wan_dest_REJECT - [0:0]
  32. :input_wan_rule - [0:0]
  33. :output_wan_rule - [0:0]
  34. :forwarding_wan_rule - [0:0]
  # Same hand-off for the wan zone; these hook chains are empty too.
  35. -A zone_wan_input -m comment --comment "user chain for wan input" -j input_wan_rule
  36. -A zone_wan_output -m comment --comment "user chain for wan output" -j output_wan_rule
  37. -A zone_wan_forward -m comment --comment "user chain for wan forwarding" -j forwarding_wan_rule
  # Built-in chains delegate everything to the delegate_* chains.
  38. -A INPUT -j delegate_input
  39. -A OUTPUT -j delegate_output
  40. -A FORWARD -j delegate_forward
  # Loopback is accepted unconditionally in both directions.
  41. -A delegate_input -i lo -j ACCEPT
  42. -A delegate_output -o lo -j ACCEPT
  # Global hook chains (empty here) run before any zone classification.
  43. -A delegate_input -m comment --comment "user chain for input" -j input_rule
  44. -A delegate_output -m comment --comment "user chain for output" -j output_rule
  45. -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
  # Stateful shortcut: packets belonging to, or related to, an already-tracked
  # flow are accepted in all three directions before any zone rule runs. This
  # is what lets reply traffic back in even though the zone rules below only
  # describe which side may open a flow.
  46. -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  47. -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  48. -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # SYN-flood limiter for traffic addressed to the router itself: inbound
  # TCP SYNs above 25/second (burst 50) are dropped, the rest RETURN to the
  # caller for normal processing. Only delegate_input jumps here (line 51), so
  # forwarded SYNs are not limited. Note that "-m limit" is a single token
  # bucket per rule, not per source address.
  49. -A syn_flood -p tcp --syn -m limit --limit 25/second --limit-burst 50 -j RETURN
  50. -A syn_flood -j DROP
  51. -A delegate_input -p tcp --syn -j syn_flood
  # Shared reject chain: TCP gets a RST, everything else an ICMPv6
  # port-unreachable. Both targets terminate, so nothing falls through.
  52. -A reject -p tcp -j REJECT --reject-with tcp-reset
  53. -A reject -j REJECT --reject-with port-unreach
  # zone_wan_input allow list (runs after the empty hook on line 35 and
  # before the catch-all reject on line 83):
  # DHCPv6 server->client traffic (UDP, server port 547 to client port 546),
  # restricted to link-local source and destination.
  54. -A zone_wan_input -p 17 -s fe80::/10 -d fe80::/10 --sport 547 --dport 546 -m comment --comment "Allow-DHCPv6" -j ACCEPT
  # ICMPv6 (protocol 58) types needed for a working IPv6 host, each limited
  # to 1000/second per rule (again one bucket per rule, not per sender):
  # 128/129 echo request/reply, 1 destination unreachable, 2 packet too big,
  # 3 time exceeded, 4/0 and 4/1 parameter problem, 133/134 router
  # solicitation/advertisement, 135/136 neighbour solicitation/advertisement.
  55. -A zone_wan_input -p 58 --icmpv6-type 128 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  56. -A zone_wan_input -p 58 --icmpv6-type 129 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  57. -A zone_wan_input -p 58 --icmpv6-type 1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  58. -A zone_wan_input -p 58 --icmpv6-type 2 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  59. -A zone_wan_input -p 58 --icmpv6-type 3 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  60. -A zone_wan_input -p 58 --icmpv6-type 4/0 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  61. -A zone_wan_input -p 58 --icmpv6-type 4/1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  62. -A zone_wan_input -p 58 --icmpv6-type 133 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  63. -A zone_wan_input -p 58 --icmpv6-type 135 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  64. -A zone_wan_input -p 58 --icmpv6-type 134 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  65. -A zone_wan_input -p 58 --icmpv6-type 136 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Input" -j ACCEPT
  # NOTE(review): the rules tagged "Allow-ICMPv6-Forward" are appended to
  # zone_wan_input, not zone_wan_forward. As dumped they only duplicate the
  # input allowances for types 128/129/1/2/3/4 above and permit nothing in the
  # FORWARD path; zone_wan_forward goes straight to zone_wan_dest_REJECT (line
  # 84), so unsolicited ICMPv6 from wan toward lan hosts is rejected and
  # forwarded flows rely on the RELATED,ESTABLISHED rule on line 48 for
  # errors such as packet-too-big. Whether this placement is intended cannot
  # be determined from the dump — confirm against the generator's config.
  66. -A zone_wan_input -p 58 --icmpv6-type 128 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  67. -A zone_wan_input -p 58 --icmpv6-type 129 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  68. -A zone_wan_input -p 58 --icmpv6-type 1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  69. -A zone_wan_input -p 58 --icmpv6-type 2 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  70. -A zone_wan_input -p 58 --icmpv6-type 3 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  71. -A zone_wan_input -p 58 --icmpv6-type 4/0 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  72. -A zone_wan_input -p 58 --icmpv6-type 4/1 -m limit --limit 1000/second -m comment --comment "Allow-ICMPv6-Forward" -j ACCEPT
  # lan zone policy: lan may open flows toward wan (line 73); anything the lan
  # sends to the router is accepted (74/77); lan->lan forwarding through the
  # router is rejected (75/79); router->lan output is accepted (76/78).
  73. -A zone_lan_forward -m comment --comment "forwarding lan->wan" -j zone_wan_dest_ACCEPT
  74. -A zone_lan_input -j zone_lan_src_ACCEPT
  75. -A zone_lan_forward -j zone_lan_dest_REJECT
  76. -A zone_lan_output -j zone_lan_dest_ACCEPT
  77. -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
  78. -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
  79. -A zone_lan_dest_REJECT -o br-lan -j reject
  # Interface-to-zone binding for lan: only br-lan is in the lan zone.
  80. -A delegate_input -i br-lan -j zone_lan_input
  81. -A delegate_forward -i br-lan -j zone_lan_forward
  82. -A delegate_output -o br-lan -j zone_lan_output
  # wan zone policy: unsolicited input from wan is rejected once the explicit
  # allows above have been tried (83); wan-originated forwarding is rejected
  # (84); router->wan output is accepted (85).
  83. -A zone_wan_input -j zone_wan_src_REJECT
  84. -A zone_wan_forward -j zone_wan_dest_REJECT
  85. -A zone_wan_output -j zone_wan_dest_ACCEPT
  # Interface-to-zone binding for wan: both the 6in4 tunnel and eth1 are
  # treated as wan and share the same policy.
  86. -A zone_wan_dest_ACCEPT -o 6in4-henet -j ACCEPT
  87. -A zone_wan_src_REJECT -i 6in4-henet -j reject
  88. -A zone_wan_dest_REJECT -o 6in4-henet -j reject
  89. -A delegate_input -i 6in4-henet -j zone_wan_input
  90. -A delegate_forward -i 6in4-henet -j zone_wan_forward
  91. -A delegate_output -o 6in4-henet -j zone_wan_output
  92. -A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
  93. -A zone_wan_src_REJECT -i eth1 -j reject
  94. -A zone_wan_dest_REJECT -o eth1 -j reject
  95. -A delegate_input -i eth1 -j zone_wan_input
  96. -A delegate_forward -i eth1 -j zone_wan_forward
  97. -A delegate_output -o eth1 -j zone_wan_output
  # Catch-all: traffic on any interface not bound to a zone above, and
  # anything that fell through its zone chains, is rejected here rather than
  # silently dropped by the chain policy. Note this also applies to OUTPUT,
  # so the router cannot originate traffic on an unlisted interface.
  98. -A delegate_input -j reject
  99. -A delegate_output -j reject
  100. -A delegate_forward -j reject
  101. COMMIT
  # ---- mangle table ---------------------------------------------------------
  # Clamp TCP MSS to path MTU on forwarded SYNs leaving via either wan
  # interface (the "mtu_fix" tag suggests this is for the tunnel's reduced
  # MTU, but that is an inference). Only FORWARD is covered, not OUTPUT.
  102. *mangle
  103. :mssfix - [0:0]
  104. -A FORWARD -j mssfix
  105. -A mssfix -o 6in4-henet -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
  106. -A mssfix -o eth1 -p tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
  107. COMMIT
  # ---- raw table ------------------------------------------------------------
  # The notrack chain is hooked from PREROUTING but contains no rules, so
  # connection tracking applies to all traffic (which the RELATED,ESTABLISHED
  # rules in the filter table depend on).
  108. *raw
  109. :notrack - [0:0]
  110. -A PREROUTING -j notrack
  111. COMMIT